The flaw exists in lmadmin due to improper validation of user-supplied data when processing a FLEX_MSG_QUORUM message. An unauthenticated, remote attacker can specify a large, signed 32-bit integer (i.e., 0x7fffffff) in the message to cause the C++ new operator to throw an unhandled exception, resulting in process termination:
.text:005012B3 lea eax, [ebp+int32] ; attacker-controlled; ie: 0x7fffffff
.text:005012B6 push eax
.text:005012B7 mov ecx, [ebp+pos]
.text:005012BA push ecx
.text:005012BB mov edx, [ebp+arg_sebuf]
.text:005012BE push edx
.text:005012BF mov ecx, [ebp+var_28]
.text:005012C2 call obj14_sebufGetBe32 ; return true/false
.text:005012C7 movzx eax, al
.text:005012CA test eax, eax
.text:005012CC jnz short loc_5012D5
.text:005012CE xor al, al
.text:005012D0 jmp loc_50139A
.text:005012D5 ; ---------------------------------------------------------------------------
.text:005012D5
.text:005012D5 loc_5012D5: ; CODE XREF: obj14_Parse_FLEX_MSG_QUORUM+5C↑j
.text:005012D5 mov ecx, [ebp+pos]
.text:005012D8 add ecx, 4
.text:005012DB mov [ebp+pos], ecx
.text:005012DE mov [ebp+var_18], 0
.text:005012E5 cmp [ebp+int32], 0
.text:005012E9 jle short negative_size
.text:005012EB mov edx, [ebp+int32] ; attacker-controlled
.text:005012EB ; 0x7fffffff -> unhandled exception
.text:005012EE push edx
.text:005012EF call ??_U@YAPAXI@Z ; operator new[](uint)
Unhandled exception in 32-bit lmadmin.exe (v11.16.5.1):
(1284.1488): C++ EH exception - code e06d7363 (first chance)
(1284.1488): C++ EH exception - code e06d7363 (!!! second chance !!!)
eax=09cffae0 ebx=08c70c40 ecx=00000003 edx=00000000 esi=03fecba8 edi=09cffb80
eip=7d85c5af esp=09cffae0 ebp=09cffb30 iopl=0 nv up ei pl nz ac po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000212
KERNELBASE!RaiseException+0x58:
7d85c5af c9 leave
0:008> kb
ChildEBP RetAddr Args to Child
09cffb30 03fd8a19 e06d7363 00000001 00000003 KERNELBASE!RaiseException+0x58
09cffb70 0401dea6 09cffb80 03fecba8 03fed3e4 MSVCR120!_CxxThrowException+0x5b [f:\dd\vctools\crt\crtw32\eh\throw.cpp @ 152]
09cffb90 005012f4 7fffffff 1e9495d9 0000000f MSVCR120!operator new+0x50 [f:\dd\vctools\crt\crtw32\heap\new.cpp @ 62]
WARNING: Stack unwind information not available. Following frames may be wrong.
09cffbd4 004f58a8 09cffdcc 09cffe48 1e9493b5 lmadmin!xalanc_1_11::XalanMemoryManager::operator=+0x5adf4
09cffdb8 004f46c6 09cffdcc 09cffe48 1e94906d lmadmin!xalanc_1_11::XalanMemoryManager::operator=+0x4f3a8
09cffe60 00536521 1e949081 0954fc04 00000000 lmadmin!xalanc_1_11::XalanMemoryManager::operator=+0x4e1c6
09cffe8c 00536de5 00000003 08c6cfe8 09cffeb0 lmadmin!xalanc_1_11::XalanMemoryManager::operator=+0x90021
09cffe9c 005365fd 0954fbd4 00000003 08c6cfec lmadmin!xalanc_1_11::XalanMemoryManager::operator=+0x908e5
09cffeb0 00536dc0 00000000 08c6cfe8 09cffecf lmadmin!xalanc_1_11::XalanMemoryManager::operator=+0x900fd
09cffed0 00537395 08c6cfe8 09cfff10 0042829b lmadmin!xalanc_1_11::XalanMemoryManager::operator=+0x908c0
09cffedc 0042829b 08c6cfe8 1e94911d 09cfff68 lmadmin!xalanc_1_11::XalanMemoryManager::operator=+0x90e95
09cfff10 004f28e2 08c6cfa0 09cfff44 00630cee lmadmin+0x2829b
09cfff1c 00630cee 1e949149 00000000 0b040c40 lmadmin!xalanc_1_11::XalanMemoryManager::operator=+0x4c3e2
09cfff44 03fec129 08c6cfa0 2e566c36 00000000 lmadmin!xalanc_1_11::XalanMemoryManager::operator=+0x18a7ee
09cfff7c 03fec10d 00000000 09cfff94 7dd7343d MSVCR120!_callthreadstartex+0x1b [f:\dd\vctools\crt\crtw32\startup\threadex.c @ 381]
09cfff88 7dd7343d 08c70c40 09cfffd4 7dea9812 MSVCR120!_threadstartex+0x69 [f:\dd\vctools\crt\crtw32\startup\threadex.c @ 359]
09cfff94 7dea9812 08c70c40 44e2d13e 00000000 kernel32!BaseThreadInitThunk+0xe
09cfffd4 7dea97e5 03fec0cc 08c70c40 ffffffff ntdll!__RtlUserThreadStart+0x70
09cfffec 00000000 03fec0cc 08c70c40 00000000 ntdll!_RtlUserThreadStart+0x1b
Proof of Concept
flexera_fnp_lmadmin_msg_282_dos_cve-2020-12080.py
Attached is a PoC to terminate lmadmin.exe. The PoC can be used as follows:
python flexera_fnp_lmadmin_msg_282_dos_cve-2020-12080.py -t -p 27000